Martin Wüthrich

Azure Active Directory – Alert if a specific user is logged on

If you want to get an email Alert, if a specific Account is used for Login within Azure Active Directory, you will currently be required to use Cloud App Security. The feature Cloud App Security is included within the Enterprise Mobility & Security Suite E5 (EMS E5; source).

Why you want to do this? Lets assume you have Fallback Administrator Account in Azure AD, and because they are Fallback, they are not protected with conditional Access or MFA.
So, within the Cloud App Security all the magic starts with the Investigate Menu, where you have to select the “Activity Log”:

In the opened activity log, on the left side, you can use the drop down list of the Queries Box to select “Succesful log in”. Your activities log should be refreshed with the results from the selected query (I really don’t know why the Activity Type has to be on failed):

Now you can go on and add a condition to the query, which filters for your fallback Admin Account:

You can then check the results of the query, and if all is fine, you can add the Queries as a Policy to the Alerting by a click on “New policy from search”:

The next step will be to give a meaningful name for the new policy, and how you would like to get alerted, I selected the Email function. And that’s it, if you test the login alert, you will receive the email within seconds (depending on your email Infrastructure: